Even though having an information security plan is a foundational element of information security and a core concept to all information security frameworks (e.g., ISO 27001, NIST/FISMA, etc.), it’s still unusual for most SMBs/SMEs to have one. I think a big part of the challenge is that there is some ambiguity to what an information security plan is (and isn’t).
Ideally, an information security plan is a document that outlines near- (0-6 months), mid- (6-18 months), and longer-term (18-36 months) objectives/improvements for your information security program:
- The near-term objectives will likely tie to ongoing projects, assessment findings, and ongoing risk mitigations.
- The mid-term objectives will likely tie to planned projects and critical initiatives like ISO 27001 certification, technology/cloud migrations, and new products/services the business is developing.
- The longer-term objectives are less explicit and are more about “moving toward goals,” such as migration from DevOps to SecDevOps, or aligning your information security program with the NIST Cybersecurity Framework.
It’s important to think of the plan as being fluid. I like to think of it as a “living document” that evolves with changes to the threat environment, technology, laws, regulations, client expectations, etc.
Developing an information security plan generally requires you to tackle these four steps:
- Understand your organization’s context/scope
- Understand current information security controls
- Identify and analyze information-related risk
- Build a risk treatment plan
Now let’s take a look at what is generally involved in each of these steps.
1. Understanding Organization Context/Scope
To develop an information security plan, it is critical to understand your organization, its business goals, and its information security expectations. An easy way to think about this is: What information do we need to protect? And what are the processes that act on that information?
Understanding the processes requires that you understand and document the people, systems and hard assets (e.g., employees, contractors, vendors, hardware, software, physical offices, data centers, networks, etc.) that support these processes. The easiest way to gather this information is via a sequence of interviews with an organizational cross-section of the right people, such as:
- Business and/or Product Management
- Information Technology
- Information Security
- Human Resources
- Physical Security
- Legal & Compliance
Put simply, scoping is about understanding everything that influences information related risk and associated risk management decisions. If you’re familiar with ISO 27001, this process is comparable to an ISMS Scoping exercise.
2. Understanding Information Security Controls
A big factor in any information security plan is, unsurprisingly, the strength and maturity of the current information security program. There is a lot of overlap between understanding this and understanding your organizational scope.
You may choose to assess the controls independently after the risk assessment as a conventional “gap assessment,” or you may choose to gather this information during the scoping process as a “controls understanding/enumeration.” My thought process has evolved over the years from favoring the former to favoring the latter—but either approach works. Assuming the latter, the focus here is on understanding what information security controls are in place and the extent to which they are implemented and operated. It’s not yet about “assessing” (passing judgement) as you won’t yet understand risk enough to contextualize the assessment. Instead, it’s about understanding/documenting what is being done currently.
The easiest way to gather this information is via artifact review (e.g., policies, standards, procedures, audit/assessment findings, penetration test results, incident reports, etc.) and discussions with your IT and information security staff.
Control enumeration scoping is about understanding the information security controls in place so you can determine during the risk assessment whether those controls are effective.
3. Identifying and Analyzing Information Related Risk
A key factor in any information security plan is the risks posed to your information assets and whether those risks are reduced to a level you are comfortable with. This process is often referred to as a risk assessment, which is comprised of risk identification and risk analysis.
During the previous two steps, you will have already identified a number of risks (despite the fact that this was not yet your intent). In this phase, the initial focus is on identifying all the additional risks to your organization’s information related assets (risk identification). Once you have a firm understanding of all the risks, you can then assess (and document) which risks are currently being effectively managed by information security controls already in place, and which are not yet effectively managed (risk analysis). This involves consideration of the likelihood of a risk being realized, taking into account the current information security controls in place, along with the impact that risk realization would have on your organization.
In a nutshell, risk assessment is the process of identifying the universe of risks to your information assets and determining if/which of those risks necessitate improvements in your information security program.
4. Building a Risk Treatment Plan
Once you understand which risks need to be addressed, you can develop a plan to improve the security controls to reduce the risks to a level that the business is comfortable with (risk treatment). That group of risk treatments (ideally approved by senior management) is generally referred to as a Risk Treatment Plan. This is a simple, near-term, tactical Information Security Plan.
For many SMB/SMEs, this Risk Treatment Plan is all you will need until all risks of note are effectively managed. Longer-term, there may be some value to translating it to a more formal “strategic” plan that provides a longer-term vision for your information security program.
As I wrote recently, “information security is about having a plan.” Based on the above analysis and fact-finding, your information security plan will give you a prioritized view of planned improvements to more effectively manage risk in accordance with management’s directive.